CN116215444A

CN116215444A - Enhanced biometric authorization

Info

Publication number: CN116215444A
Application number: CN202211425176.2A
Authority: CN
Inventors: 阿里·哈桑尼; M·马丁内兹; 约翰·罗伯特·范维梅尔施; J·施瓦兹; M·卡卡雷
Original assignee: Ford Global Technologies LLC
Current assignee: Ford Global Technologies LLC
Priority date: 2021-12-02
Filing date: 2022-11-15
Publication date: 2023-06-06
Also published as: DE102022131640A1; US20230174017A1; US11912234B2

Abstract

The present disclosure provides "enhanced biometric authorization". Upon authorizing the user via the challenge biometric data, updating the user data is determined based on detecting the trigger. Upon detecting the trigger prior to authenticating the user, the user data is updated based on authenticating the user using the challenge biometric data. Upon detecting the trigger after authenticating the user, updating the user data using the updated challenge biometric data based on a confidence score of the second biometric data exceeding a threshold. Controlling the structural component based on the updated user data.

Description

Enhanced biometric authorization

Technical Field

The present disclosure relates to biometric authorization in a vehicle.

Background

A computer performing biometric authorization may receive sensor data to determine the identity of a person seeking access authorization granted by the computer. The biometric authorization may comprise, for example, facial recognition, i.e., a biometric authorization that uses a facial image to identify a person. Biometric authorization may rely on the acquisition of accurate biometric data.

Disclosure of Invention

The computer may use biometric authorization to control access to devices, objects, and/or applications (e.g., to vehicles, buildings, computers, cell phones, other devices, etc.). For example, biometric authorization may be implemented to allow access by authorized personnel, such as access to a vehicle or building, and to deny access by unauthorized personnel. Biometric authorization may require a user to provide one or more types of biometric data and/or to provide biometric data to a specified sensor in a particular manner (e.g., in a specified sequence), etc., to generate user data that may be used to determine authorization. The biometric data is data representing a measurement result of a physiological characteristic. One type of biometric data is data representing a particular physiological characteristic, such as the distance between lines in a fingerprint, the distance between facial features, and so forth. Biometric authorization a user may be authorized by comparing biometric data provided by the user with biometric data subsequently obtained via sensors in a vehicle, building, computing device, or the like.

The results of performing the biometric authorization may be downloaded to devices that grant or deny authorization and rights to access structures (e.g., vehicles, buildings, rooms, access areas, etc.). Successful authorization may be used for security applications, such as accessing a location, e.g., a passenger compartment of a vehicle, a room, a building, etc., by unlocking a door. In other examples, successful authorization may be used to enable vehicle or building controls, or further alternatively or additionally to access devices such as a computer, such as by enabling an input device such as a keyboard or mouse or granting access to a computer file.

Authorizing a user for a vehicle will be described herein as a non-limiting example of biometric authorization. That is, the vehicle will be described herein as a non-limiting example of a structure. It should be appreciated that other types of structures (e.g., buildings, garages, access areas, etc.) may utilize the techniques described herein for biometric authorization.

The vehicle may be equipped with computing devices, networks, sensors, and controllers to acquire and/or process data about the environment and allow access to the vehicle based on the data. For example, a camera in the vehicle may be programmed to acquire images of the approaching user and, upon determining the identity of the user based on biometric authorization, e.g., via facial recognition software, unlock the vehicle doors to allow the user to enter the passenger compartment of the vehicle. Similarly, a camera included in the passenger compartment of the vehicle may acquire one or more images of the user and accept commands to operate the vehicle from the user when determining the identity of the user based on biometric authorization, e.g., via facial recognition software.

However, the user's biometric data may change over time, for example, due to weight gain or loss, age, hair growth or loss, etc., which may reduce the accuracy of the user's biometric authorization. Advantageously, the vehicle computer may determine whether triggering occurs after biometric authorization of the user based on challenge biometric data (i.e., biometric data obtained from the user in real-time or near real-time to compare with stored biometric data to perform biometric authorization for the user). The trigger indicates that the user's user data should be updated with the user's updated biometric data. Based on determining that the trigger occurred prior to authenticating the user, the vehicle computer may update the user data to include challenge biometric data upon authenticating the user. Based on authenticating the user prior to determining that the trigger has occurred, the vehicle computer may update the user data to include updated challenge biometric data upon determining that the trigger has occurred. Updating the user data using the challenge biometric data in response to determining that the trigger occurred allows the vehicle computer to maintain the user data corresponding to the current user biometric data without input from the user, which may reduce the likelihood that an authorized user will not be authorized by the biometric or an unauthorized user will be authorized by the biometric.

A system includes a computer including a processor and a memory storing instructions executable by the processor to determine update user data based on determining triggers when a user is authorized via challenge biometric data. The instructions further include instructions for: upon determining the trigger prior to authenticating the user, the user data is updated based on authenticating the user using the challenge biometric data. The instructions further include instructions for: upon determining the trigger after authenticating the user, the user data is updated using the updated challenge biometric data based on a confidence score of the updated challenge biometric data exceeding a threshold. The instructions further include instructions for: controlling the structural component based on the updated user data.

The triggering may include one or more of expiration of a timer, a confidence score of the challenge biometric data being less than a second confidence threshold, or presence of a variable characteristic of the user.

The instructions may also include instructions for: upon detecting the trigger, the challenge biometric data is stored in a buffer based on a confidence score of the challenge biometric data exceeding the threshold. The instructions may also include instructions for: the challenge biometric data is deleted from the buffer when the user data is updated with the challenge biometric data.

The instructions may also include instructions for: the challenge biometric data is deleted from the buffer based on the user not being authenticated within a predetermined time of storing the challenge biometric data in the buffer.

The instructions may also include instructions for: the challenge biometric data is prevented from being stored in a buffer based on a determination that the user data is not updated.

The instructions may also include instructions for: storing the challenge biometric data in the buffer is prevented based on the confidence score of the challenge biometric data not exceeding the threshold.

The instructions may also include instructions for: the challenge biometric data is encrypted prior to storing the challenge biometric data in the buffer.

The instructions may also include instructions for: the encrypted challenge biometric data is retrieved from the buffer when it is determined to update the user data based on the challenge biometric data. The instructions may also include instructions for: decrypting the challenge biometric data prior to updating the user data.

The instructions may also include instructions for: authorizing the user based on determining that a confidence score of the challenge biometric data is greater than the threshold.

The instructions may also include instructions for: authenticating the user based on determining that the confidence score of the challenge biometric data is greater than a second confidence threshold. The second confidence threshold may be greater than the threshold.

The instructions may also include instructions for: authenticating the user based on helper challenge biometric data, the helper challenge biometric data being a different type of biometric data than the challenge biometric data.

The instructions may also include instructions for: authentication is performed based on user input.

The instructions may also include instructions for: authentication is performed based on detecting an authorized device.

The instructions may also include instructions for: the user data is additionally updated based on user input.

The instructions may also include instructions for: instructions are provided to the user to provide updated biometric data based on the confidence score of the challenge biometric data not exceeding the threshold. The instructions may also include instructions for: the user data is updated using the updated biometric data when the updated biometric data is obtained.

A method includes determining to update user data based on determining a trigger upon authorizing a user via challenge biometric data. The method further includes updating the user data based on authenticating the user using the challenge biometric data when the trigger is determined prior to authenticating the user. The method also includes updating the user data with the updated challenge biometric data based on a confidence score of the updated challenge biometric data exceeding a threshold upon determining the trigger after authenticating the user. The method further includes controlling a structural component based on the updated user data.

The method may further include storing the first biometric data in a buffer based on a confidence score of the challenge biometric data exceeding the threshold when the trigger is detected. The method may further include deleting the challenge biometric data from the buffer when the user data is updated with the challenge biometric data.

The method may further include deleting the challenge biometric data from the buffer based on the user not being authenticated within a predetermined time of storing the challenge biometric data in the buffer.

The method may further include authorizing the user based on determining that a confidence score of the challenge biometric data is greater than the threshold.

Also disclosed herein is a computing device programmed to perform any of the above method steps. Also disclosed herein is a computer program product comprising a computer readable medium storing instructions executable by a computer processor to perform any of the above-described method steps.

Drawings

FIG. 1 is a block diagram illustrating an exemplary control system for a vehicle.

Fig. 2 is a diagram illustrating an exemplary passenger compartment of a vehicle.

Fig. 3 is a diagram illustrating a user in an exemplary passenger compartment of a vehicle.

Fig. 4A is a first portion of a flow chart of an exemplary process for updating user data to authorize a user for a biometric.

Fig. 4B is a second portion of the flow chart of fig. 4A.

Detailed Description

Referring to fig. 1-2, an exemplary control system 100 includes a vehicle 105. The vehicle computer 110 in the vehicle 105 receives data from the sensors 115. The vehicle computer 110 is programmed to determine to update the user data based on determining the trigger upon authorizing the user via the challenge biometric data. The vehicle computer 110 is further programmed to update the user data based on the authenticated user using the challenge biometric data prior to determining the trigger. The vehicle computer 110 is further programmed to update the user data with the updated challenge biometric data based on the confidence score of the updated challenge biometric data exceeding the first confidence threshold after authenticating the user and determining the trigger. The vehicle computer 110 is also programmed to control the vehicle components 125 based on the updated user data.

Turning now to fig. 1, the vehicle 105 includes a vehicle computer 110, sensors 115, actuators 120 for actuating various vehicle components 125, and a communication module 130 of the vehicle 105. The communication module 130 allows the vehicle computer 110 to communicate with the remote server computer 140 and/or other vehicles, for example, via messaging or broadcast protocols (such as Dedicated Short Range Communications (DSRC), cellular, and/or other protocols that may support vehicle-to-vehicle, vehicle-to-infrastructure, vehicle-to-cloud communications, etc.), and/or via the packet network 135.

The vehicle computer 110 includes, for example, a known processor and memory. The memory includes one or more forms of computer-readable media and stores instructions executable by the vehicle computer 110 for performing operations including as disclosed herein. The vehicle computer 110 may also include two or more computing devices that cooperate to perform the operations of the vehicle 105, including the operations as described herein. Further, the vehicle computer 110 may be a general purpose computer having a processor and memory as described above, and/or may include dedicated electronic circuitry including an ASIC manufactured for specific operations, such as an ASIC for processing sensor 115 data and/or transmitting sensor 115 data. In another example, the vehicle computer 110 may include an FPGA (field programmable gate array), which is an integrated circuit manufactured to be configurable by a user. Typically, digital and mixed signal systems such as FPGAs and ASICs are described using hardware description languages such as VHDL (very high speed integrated circuit hardware description language) in electronic design automation. For example, ASICs are manufactured based on VHDL programming provided prior to manufacture, while logic components within FPGAs may be configured based on VHDL programming stored, for example, in a memory electrically connected to FPGA circuitry. In some examples, a combination of processors, ASICs, and/or FPGA circuitry may be included in the vehicle computer 110.

The vehicle computer 110 may operate and/or monitor the vehicle 105 in an autonomous, semi-autonomous mode or an non-autonomous (or manual) mode, i.e., may control and/or monitor the operation of the vehicle 105, including the control and/or monitoring component 125. For purposes of this disclosure, autonomous mode is defined as a mode in which each of propulsion, braking, and steering of the vehicle 105 is controlled by the vehicle computer 110; in semi-autonomous mode, the vehicle computer 110 controls one or both of propulsion, braking, and steering of the vehicle 105; in the non-autonomous mode, a human operator controls each of propulsion, braking, and steering of the vehicle 105.

The vehicle computer 110 may include one or more of braking, propulsion (e.g., controlling acceleration of the vehicle 105 by controlling one or more of an internal combustion engine, an electric motor, a hybrid engine, etc.), steering, transmission, climate control, interior and/or exterior lights, horns, doors, etc. programmed to operate the vehicle 105, and determining whether and when the vehicle computer 110 (rather than a human operator) controls such operations.

The vehicle computer 110 may include or be communicatively coupled to one or more processors, such as included in an Electronic Controller Unit (ECU) or the like included in the vehicle 105 for monitoring and/or controlling various vehicle components 125, such as a transmission controller, a brake controller, a steering controller, and the like, for example, via a vehicle communication network, such as a communication bus, as described further below. The vehicle computer 110 is typically arranged for communication over a vehicle communication network, which may include a bus in the vehicle 105, such as a Controller Area Network (CAN) or the like, and/or other wired and/or wireless mechanisms.

Via the vehicle 105 network, the vehicle computer 110 may transmit and/or receive messages (e.g., CAN messages) to and/or from various devices (e.g., sensors 115, actuators 120, ECU, etc.) in the vehicle 105. Alternatively or additionally, where the vehicle computer 110 actually includes a plurality of devices, a vehicle communication network may be used for communication between the devices represented in this disclosure as the vehicle computer 110. Further, as mentioned below, various controllers and/or sensors 115 may provide data to the vehicle computer 110 via the vehicle communication network.

The sensors 115 of the vehicle 105 may include a variety of devices such as are known for providing data to the vehicle computer 110. For example, the sensors 115 may include one or more light detection and ranging (lidar) sensors 115 or the like disposed on top of the vehicle 105, behind a front windshield of the vehicle 105, around the vehicle 105, etc., that provide the relative position, size, and shape of objects around the vehicle 105. As another example, one or more radar sensors 115 secured to the bumper of the vehicle 105 may provide data to provide the location of an object, a second vehicle, etc. relative to the location of the vehicle 105. Alternatively or additionally, the sensors 115 may also include, for example, one or more camera sensors 115 (e.g., front view, side view, etc.) that provide images from an area surrounding the vehicle 105. As another example, the vehicle 105 may include one or more sensors 115, such as camera sensors 115, mounted inside a cabin of the vehicle 105 and oriented to capture images of a user in the cabin of the vehicle 105. In the context of the present disclosure, an object is a physical (i.e., substance) item that has a mass and can be represented by a physical phenomenon (e.g., light or other electromagnetic waves or sounds, etc.) that can be detected by the sensor 115. Thus, the vehicle 105, as well as other items including those discussed below, fall within the definition of "object" herein.

The vehicle computer 110 is programmed to receive data from the one or more sensors 115, e.g., substantially continuously, periodically, and/or upon direction from the remote server computer 140, etc. The data may include, for example, the location of the vehicle 105. The location data specifies one or more points on the ground and may be in a known form, such as geographic coordinates, such as latitude and longitude coordinates, obtained via a navigation system using Global Positioning System (GPS) and/or dead reckoning as is known. Additionally or alternatively, the data may include a location of an object (e.g., vehicle 105, a sign, a tree, etc.) relative to vehicle 105. As one example, the data may be image data of an environment surrounding the vehicle 105. In such examples, the image data may include one or more objects and/or markers, such as lane markers, on or along the road. As another example, the data may be image data of a cabin of the vehicle 105 (e.g., including a user and a seat in the cabin of the vehicle 105). Image data herein means digital image data that can be acquired by the camera sensor 115, i.e., including pixels that typically have intensity values and color values. The sensor 115 may be mounted to any suitable location in or on the vehicle 105, such as on a bumper of the vehicle 105, on a roof of the vehicle 105, etc., to collect an image of the environment surrounding the vehicle 105.

The actuators 120 of the vehicle 105 are implemented via circuits, chips, or other electronic and/or mechanical components that may actuate various subsystems of the vehicle 105 according to appropriate control signals as is known. The actuators 120 may be used to control components 125, including braking, acceleration, and steering of the vehicle 105.

In the context of the present disclosure, the vehicle component 125 is one or more hardware components adapted to perform mechanical or electromechanical functions or operations, such as moving the vehicle 105, decelerating or stopping the vehicle 105, steering the vehicle 105, and the like. Non-limiting examples of components 125 include propulsion components (which include, for example, an internal combustion engine and/or an electric motor, etc.), transmission components, steering components (which may include, for example, one or more of a steering wheel, a steering rack, etc.), suspension components (which may include, for example, one or more of a damper such as a shock absorber or a strut, a sleeve, a spring, a control arm, a ball joint, a link, etc.), braking components, parking assist components, adaptive cruise control components, adaptive steering components, one or more passive restraint systems (e.g., airbags), movable seats, etc.

The vehicle 105 also includes a human-machine interface (HMI) 118.HMI 118 includes user input devices such as knobs, buttons, switches, pedals, joysticks, touch screens, and/or microphones, and the like. The input device may include a sensor 115 to detect user input and provide user input data to the vehicle computer 110. That is, the vehicle computer 110 may be programmed to receive user input from the HMI 118. The user can provide user input via the HMI 118, for example, by selecting a virtual button on a touch screen display, by providing voice commands, and the like. For example, a touch screen display included in the HMI 118 may include a sensor 115 to detect a user selecting a virtual button on the touch screen display, such as to select or deselect an operation, and the input may be received in the vehicle computer 110 and used to determine a selection of a user input.

HMI 118 also typically includes output devices such as a display (including a touch screen display), speakers, and/or lights that output signals or data to a user. HMI 118 is coupled to the vehicle communication network and may send and/or receive messages to/from vehicle computer 110 and other vehicle subsystems.

Further, the vehicle computer 110 may be configured to communicate with devices external to the vehicle 105 via a vehicle-to-vehicle communication module or interface, such as by vehicle-to-vehicle (V2V) or vehicle-to-infrastructure (V2X) wireless communication (cellular and/or DSRC, etc.) with another vehicle and/or remote server computer 140 (typically via direct radio frequency communication). The communication module may include one or more mechanisms available to the vehicle's computer for communication, such as a transceiver, including any desired combination of wireless (e.g., cellular, wireless, satellite, microwave, and radio frequency) communication mechanisms, as well as any desired network topology (or topologies when multiple communication mechanisms are utilized). Exemplary communications provided via the communication module include cellular, bluetooth, IEEE 802.11, ultra Wideband (UWB), near Field Communication (NFC), dedicated Short Range Communication (DSRC), and/or Wide Area Network (WAN) including the internet, which provide data communication services.

Network 135 represents one or more mechanisms by which vehicle computer 110 may communicate with a remote computing device (e.g., remote server computer 140, another vehicle computer, etc.). Thus, the network 135 may be one or more of a variety of wired or wireless communication mechanisms, including any desired combination of wired (e.g., cable and fiber) and/or wireless (e.g., cellular, wireless, satellite, microwave, and radio frequency) communication mechanisms, as well as any desired network topology (or topologies when multiple communication mechanisms are utilized)). Exemplary communication network 135 includes a wireless communication network (e.g., using

Low power consumption (BLE), UWB, NFC, IEEE 802.11, vehicle-to-vehicle (V2V) such as Dedicated Short Range Communication (DSRC), etc.), local Area Networks (LANs), and/or Wide Area Networks (WANs), including the internet.

The remote server computer 140 may be a conventional computing device programmed to provide operations such as those disclosed herein, i.e., including one or more processors and one or more memories. In addition, the remote server computer 140 may be accessed via a network 135 (e.g., the Internet, a cellular network, and/or some other wide area network).

The portable device 145 may be a conventional computing device programmed to provide operations such as those disclosed herein, i.e., including one or more processors and one or more memories. The portable device 145 may be any of a variety of computers that may be used when carried by a person, such as a smart phone, tablet, personal digital assistant, smart watch, and the like. Further, portable device 145 may be accessed via network 135 (e.g., the internet, a cellular network, and/or some other wide area network).

Fig. 2 is a diagram of a top view of an exemplary passenger compartment 200 of the exemplary vehicle 105. The vehicle 105 may include a body (not numbered) defining a passenger compartment 200 for receiving an occupant (if any) of the vehicle. The vehicle body includes doors and windows that may open, for example, to allow access to and egress from the passenger compartment 200.

The passenger compartment 200 may extend across the vehicle 105, i.e., from one side of the vehicle 105 to the other. The passenger compartment 200 includes a front end (not numbered) and a rear end (not numbered), wherein the front end is forward of the rear end during forward movement of the vehicle 105. The passenger compartment 200 includes one or more seats (not numbered). The seats may be arranged in any suitable arrangement. For example, the passenger compartment 200 may include one or more front row seats disposed forward of the passenger compartment 200 and one or more rear row seats disposed rearward of the front row seats. The passenger compartment 200 may also include a third row of seats at the rear of the passenger compartment 200. In fig. 2, the front row seats and the rear row seats are shown as bucket seats, and the third row seats are shown as bench seats, but the seats may be of other types.

The vehicle 105 may include any suitable number (e.g., one or more) of sensors 115. For example, as shown in fig. 2, the vehicle 105 may include a plurality of external sensors 115a positioned to monitor the environment surrounding the vehicle 105 and a plurality of internal sensors 115b positioned to monitor the passenger compartment 200 of the vehicle 105.

The vehicle computer 110 is programmed to determine that the user is in the passenger compartment 200 (see fig. 3). The vehicle computer 110 may detect a user in the passenger compartment 200, for example, based on data from the interior sensors 115b. For example, the vehicle computer 110 may monitor data from the internal sensor 115b to detect that the user has moved into the field of view of the internal sensor 115b. As another example, the vehicle computer 110 may detect that the user is in the passenger compartment 200 based on receiving user input via the HMI 118. For example, the vehicle computer 110 may actuate the HMI118 to display a virtual button that the user may select to indicate the user in the passenger compartment 200. In other words, the HMI118 may activate a sensor that may detect a user selection of a virtual button to indicate to the user that the passenger compartment 200 is in. Upon detecting a user input, the HMI118 may provide the user input to the vehicle computer 110 and the vehicle computer 110 may determine that the user is in the passenger compartment 200 based on the user input.

As yet another example, the vehicle computer 110 may determine that the user is in the passenger compartment 200 based on detecting the portable device 145 associated with the user in the passenger compartment 200. For example, the vehicle computer 110 may be programmed to transmit Radio Frequency (RF) signals, e.g., BLE, ultra Wideband (UWB), etc., via a short range broadcast protocol, for example. The vehicle computer 110 may then detect the portable device 145 based on detecting the corresponding transmitted RF signal or the return of the responsive RF signal transmitted from the portable device 145, e.g., continuously or in response to detecting the RF signal transmitted by the vehicle computer 110. Upon detection of the portable device 145, the vehicle computer 110 can request location data from the portable device 145. The portable device 145 may transmit location data (e.g., geographic coordinates) of the portable device 145 to the vehicle computer 110, for example, via the network 135. Upon receiving the location data of the portable device 145, the vehicle computer 110 can compare the location data to a GPS-based geofence. Geofences herein have the conventional meaning of the boundaries of an area defined by a set of geographic coordinates. In such examples, the geofence designates the perimeter of the passenger compartment 200. The vehicle computer 110 may then determine that the user is within the passenger compartment 200 based on the location data of the portable device 145 indicating that the portable device 145 is within the geofence.

Upon determining that the user is in the passenger compartment 200, the vehicle computer 110 may query the memory to select user data associated with the user. For example, the vehicle computer 110 may maintain a look-up table or the like, e.g., stored in a memory of the vehicle computer 110, that associates the user with corresponding biometric data. Upon determining to initiate biometric enrollment (as discussed below), the vehicle computer 110 may update the lookup table to associate the identified user with the first biometric data. The vehicle computer 110 may control the operation of the vehicle 105 based on user data of the user.

The vehicle computer 110 may store user data for each of a plurality of potential users, for example, in a memory. The user data may track authorized users, i.e., users having access to the vehicle 105, and the user data may be updated over time as the user's biometric data changes (e.g., due to weight gain or loss, age, hair growth or loss, etc.). The user data includes biometric data of the corresponding user and user authorization of the corresponding user. A user authorization, as used herein, specifies one or more vehicle 105 features for which the user has access rights and/or one or more operating parameters for which the user has control rights.

In the context of this document, a "vehicle feature" is a setting of the vehicle component 125 that may be selected by user input, for example via the HMI 118. Non-limiting examples of features of the vehicle 105 include heating and/or cooling seats, climate control in various areas or regions of the passenger compartment 200, heating a steering wheel, automatically dimming a rear view mirror, heating a side view mirror, multi-color lighting, controlling a radio, controlling a sunroof, and the like.

In the context of this document, an "operating parameter" is an actual value of a measurement of a physical characteristic of the vehicle 105 or the environment surrounding the vehicle 105 during operation of the vehicle. Various operating parameters during operation of the vehicle 105 may be determined. A non-limiting list of operating parameters includes the speed of the vehicle 105, the following distance between the vehicles, the stop position, the acceleration rate of the vehicle 105, the destination of the vehicle 105, the route of the vehicle 105, and the like.

In examples where the structure is a building, the user authorization may specify a building or a room therein that allows or prevents the user from entering. Additionally or alternatively, the user authorization may specify one or more controls of the building that allow or prevent user control, e.g., a light control, a heating control, a cooling control, a speaker control, etc.

When no user data is associated with the user, the vehicle computer 110 may be programmed to initiate biometric enrollment of the user based on receiving user input. For example, the vehicle computer 110 may actuate the HMI 118 to display a virtual button that the user may select to initiate biometric enrollment. That is, the HMI 118 may actuate a sensor that may detect a user selection of a virtual button. Upon detecting a user input, the HMI 118 may provide the user input to the vehicle computer 110 and the vehicle computer 110 may initiate biometric enrollment. The vehicle computer 110 can provide initial instructions to the user to provide enrollment biometric data. For example, the vehicle computer 110 may actuate the HMI 118 to output an initial instruction (see fig. 3). The initial instructions specify actions to be performed by the user, e.g., interacting with (such as facing and/or touching) the specified sensor, adjusting the user's pose with respect to the specified sensor, removing accessories (such as hats, glasses, etc.), speaking words or phrases, etc., allowing the vehicle computer 110 to obtain the user's registered biometric data. Biometric enrollment in this document means generating user data based on obtaining enrolled (i.e., baseline) biometric data of a given user.

When the user data is associated with the user, the vehicle computer 110 is programmed to perform biometric authorization of the user based on the challenge biometric data, as discussed below. The challenge biometric data is obtained after generating user data for the user.

During biometric enrollment, the vehicle computer 110 may actuate one or more sensors 115 to obtain enrolled biometric data of the user. For example, the vehicle computer 110 may actuate the sensor 115 that is positioned to face the user. The vehicle computer 110 can actuate the various sensors 115 to obtain the corresponding types of enrolled biometric data. For example, the vehicle computer 110 may actuate the image sensor 115 to obtain image data including facial characteristics of the user. Additionally or alternatively, the vehicle computer 110 may actuate the capacitive touch sensor 115 to obtain data including the user's fingerprint. The vehicle computer 110 may verify the biometric data, for example, by employing known watermarking techniques that encrypt a data string that indicates the validity of the biometric data and include the encrypted data string in the biometric data.

Upon obtaining the enrolled biometric data, the vehicle computer 110 generates user data for the user. For example, the vehicle computer 110 may maintain a look-up table, e.g., stored in a memory of the vehicle computer 110, that associates the user with corresponding biometric data. Upon determining to initiate the biometric registration, the vehicle computer 110 may update the look-up table to associate the user with the registered biometric data.

In addition, the vehicle computer 110 may actuate the HMI 118 to display virtual buttons corresponding to features and various operating parameters that the user may select to designate various vehicles 105 authorized by the user. In other words, the HMI 118 may activate a sensor that detects that the user selects a virtual button to specify user authorization. Upon detecting a user input, the HMI 118 may provide the user input to the vehicle computer 110 and the vehicle computer 110 may determine user authorization based on the user input. The vehicle computer 110 may then update the user data to include the determined user authorization. That is, the user data may associate user authorizations with corresponding users.

In generating the user data, the vehicle computer 110 may control the vehicle 105 based on the user data (e.g., user authorization) of the user. For example, the vehicle computer 110 may control a lock of the vehicle 105 to allow a user to access an area of the vehicle 105 designated by the user's authorization, e.g., a driver seat, a passenger seat, a rear seat, etc. Additionally, the vehicle computer 110 may actuate one or more vehicle components 125 to operate the vehicle 105 to meet the operating parameters specified by the user authorization. As another example, the vehicle computer 110 may actuate one or more vehicle components 125 to adjust the characteristics of one or more vehicles 105 specified by the user authorization.

In addition, the vehicle computer 110 can actuate the HMI 118 to display virtual buttons that the user can select to allow updating of the user data. In other words, the HMI 118 may activate one or more sensors that may detect that the user selects a virtual button to allow updating of user data. Upon detecting a user input, the HMI 118 may provide the user input to the vehicle computer 110 and the vehicle computer 110 may initiate updating of the user data based on the user input. If the user input allows for updating the user data, the vehicle computer 110 may update the user data based on determining that a trigger has occurred (as discussed below). If the user input does not allow for updating the user data, the vehicle computer 110 may maintain the user data, for example, until the user provides user input that allows for updating the user data. Maintaining user data means herein preventing changing user data.

In response to user input allowing updating of the user data, the vehicle computer 110 may update the user data at a future time. The future time is a time after the biometric enrollment of the user is completed. At a future time, the vehicle computer 110 may detect a user based on data from the sensor 115, e.g., return to the vehicle 105, remain in the vehicle 105 after expiration of a timer, etc. For example, the vehicle computer 110 may monitor data from the sensor 115 to detect that a user has moved into the field of view of the sensor.

Upon detection of the user at a future time, the vehicle computer 110 may actuate one or more sensors 115, for example, to obtain challenge biometric data of the user in substantially the same manner as discussed above with respect to obtaining the enrolled biometric data. As discussed above, the vehicle computer 110 may query the memory to identify user data for the user. The vehicle computer 110 can then authorize the user based on the challenge biometric data. That is, the vehicle computer 110 can use the challenge biometric data and the user data to perform the biometric authorization. Authorizing the user means determining that the user has rights to access the vehicle 105; failure of authorization occurs when it is determined that the user does not have permission to access the vehicle 105.

Biometric facial recognition is described herein as one non-limiting example of biometric authorization. Biometric facial recognition typically operates by calculating physiological characteristics of a human face and comparing the calculated physiological characteristics to stored physiological characteristics from a trained model. Physiological characteristics may include measures of facial features such as distance between pupils, distance between mouth angles, and nose length, among others. These metrics may be normalized by forming ratios of the measurements and stored as a training model. At the challenge time, an image of the person seeking access is acquired and processed to extract a physiological characteristic, which is then compared to the stored physiological characteristic to determine a match. Other non-limiting examples of biometric authorization may include fingerprint recognition, eye recognition, voice recognition, and the like.

The biometric authorization software may be executed on the vehicle computer 110 or the data (e.g., image data) of the sensor 115 may be uploaded to a remote server computer 140 that maintains a database of trained models for execution. An example of biometric authorization software is facial recognition software, such as a Face Tracker (Face Tracker). The face tracker is a facial recognition software library written in c++ and available on facetracker.

The facial recognition software may determine two sets of facial features corresponding to the challenge image and the enrollment image and determine a distance ratio between the features. The face recognition software may determine a confidence score by determining a match value to a previously determined face recognition feature. The user state may be determined by comparing the confidence score to a first confidence threshold. The first confidence threshold may be determined empirically, for example, based on tests that allow determining a threshold that minimizes the number of users that are not properly authorized.

Facial features include locations on the facial image such as inner and outer corners of the eyes and corners of the mouth. For example, a facial feature detection program (such as SURF in Dlib image processing library) may determine locations on the face that correspond to facial features (such as the center of each eye and the center of the mouth). The facial recognition software may compare the ratios and determine a match value based on the two sets of features. If the ratios between the feature sets match, meaning that they have the same value within empirically determined tolerances, the person in the challenge image is determined to be the same person as the person in the previously acquired registration image.

The matching value may be determined by determining the mean square error between the two sets of ratios. The matching distance ratio may reduce variance of facial feature measurements due to differences in distance from the camera and differences in pose between the two images.

The confidence score may be determined by multiplying the match value by a scalar constant that maps the match value to the interval (0, 1), where a value near 1 corresponds to a good match and a value near 0 corresponds to a bad match. Scalar constants can be determined empirically by acquiring and testing multiple enrollment and challenge images.

A confidence score greater than the first confidence threshold may indicate that the challenge biometric data matches the enrollment biometric data well, and therefore the user status should be "authorized". A confidence score less than or equal to the first confidence threshold may indicate that the challenge biometric data does not match the enrollment biometric data, and therefore the user status should be set to "unauthorized". A confidence score less than or equal to the first confidence threshold may indicate a problem faced by the challenge biometric data, such as an unauthorized user passing facial recognition, or an authorized user not passing facial recognition.

Upon determining an unauthorized user based on the challenge biometric data, the vehicle computer 110 may control a lock of the vehicle 105 to prevent the user from accessing the vehicle 105, e.g., the passenger compartment 200. Additionally or alternatively, the vehicle computer 110 may prevent actuation of one or more vehicle components 125, e.g., to prevent operation of the vehicle 105 and/or adjustment of one or more features of the vehicle 105. In addition, the vehicle computer 110 may prevent the challenge biometric data from being stored in a buffer (i.e., a portion of memory for temporary data storage). For example, the vehicle computer 110 may be programmed to delete the challenge biometric data (such that it is not stored in the buffer) upon determining that the user is not authorized. In this case, the vehicle computer 110 may maintain user data.

In addition, upon authenticating an unauthorized user (as discussed below), the vehicle computer 110 may be programmed to provide updated instructions to the user to provide updated enrollment biometric data, i.e., to reinitiate biometric enrollment. For example, the vehicle computer 110 can actuate the HMI 118 to output updated instructions to the user, e.g., via a display, speaker, etc. The updated instructions specify actions to be performed by the user, e.g., interacting with (such as facing and/or touching) the specified sensor, adjusting the user's pose with respect to the specified sensor, removing accessories (such as hats, glasses, etc.), speaking words or phrases, etc., allowing the vehicle computer 110 to obtain updated registered biometric data of the user.

Upon providing the updated instructions, the vehicle computer 110 may obtain updated registered biometric data, for example, in substantially the same manner as discussed above with respect to obtaining registered biometric data. The vehicle computer 110 may then update the user data to include the updated enrolled biometric data. For example, the vehicle computer 110 may update a lookup table to associate the user with the updated enrolled biometric data.

Upon authorizing the user based on the challenge biometric data, the vehicle computer 110 can control the vehicle 105 based on the user data (e.g., user authorization) of the user as described above. In addition, the vehicle computer 110 is programmed to determine whether to update the user data based on determining whether a trigger has occurred. The vehicle computer 110 can initiate a first timer upon authorizing the user based on the challenge biometric data. The duration of the first timer may be a predetermined amount of time determined empirically, for example, based on tests that allow determining an average amount of time that various triggers occur. The duration of the first timer may be stored, for example, in a memory of the vehicle computer 110. If the vehicle computer 110 determines that a trigger has occurred before the first timer expires, the vehicle computer 110 determines to update the user data (as discussed below). If the vehicle computer 110 determines that no trigger occurred before the first timer expires, the vehicle computer 110 determines not to update the user data. In this case, the vehicle computer 110 may maintain the user data and prevent the challenge biometric data from being stored in the buffer. For example, the vehicle computer 110 can be programmed to delete the challenge biometric data upon determining not to update the user data.

For the purposes of this document, a "trigger" is a particular condition that may be true or false at a given time. For example, the trigger may be expiration of a second timer. The duration of the second timer is a predetermined time based on, for example, a test that allows for determining the amount of time the user's biometric data (e.g., based on age, weight, etc.) may change. The duration of the second timer may be stored, for example, in a memory of the vehicle computer 110. The vehicle computer 110 may initiate a second timer when generating user data. Upon expiration of the second timer, the vehicle computer 110 may reset and initiate the second timer. If the second timer has expired, the vehicle computer 110 determines that no trigger has occurred. If the second timer has not expired, the vehicle computer 110 determines that a trigger has occurred.

As another example, the vehicle computer 110 can determine the trigger based on comparing the confidence score of the challenge biometric data to a second confidence threshold. The second confidence threshold is greater than the first confidence threshold. If the confidence score of the challenge biometric data exceeds the second confidence threshold, the vehicle computer 110 determines that no trigger has occurred. If the confidence score of the challenge biometric data is less than or equal to the second confidence threshold, the vehicle computer 110 determines that a trigger has occurred.

As yet another example, the vehicle computer 110 may determine the trigger based on detecting the presence of the user's variable characteristics. As used herein, a "variable characteristic" is a physical object that can be placed on a user and that is capable of changing the appearance of the user. Non-limiting examples of variable characteristics include hats, eyeglasses, scarves, masks, hoods, and the like. The vehicle computer 110 may receive and analyze the data of the sensor 115 to detect the presence of the user's variable characteristics, for example, using known image processing techniques. If the vehicle computer 110 detects a variable characteristic, the vehicle computer 110 determines that a trigger has occurred. If the vehicle computer 110 does not detect the variable characteristic, the vehicle computer 110 determines that no triggering has occurred.

As yet another example, the vehicle computer 110 may determine the trigger based on a confidence score trend. For example, the vehicle computer 110 can store the confidence scores of the corresponding challenge biometric data. The vehicle computer 110 may analyze the stored confidence scores, for example, using known data processing techniques, to determine a confidence score trend, i.e., the change in the stored confidence scores over time. The vehicle computer 110 may then compare the confidence score trend to a trend threshold. The trend threshold may be stored in, for example, the memory of the vehicle computer 110. The trend threshold may specify a maximum rate of change above which the vehicle computer 110 determines that a trigger has occurred. The trend threshold may be empirically determined, for example, based on various changes that allow the confidence score to be determined over various amounts of time, the various changes indicating a decrease in the accuracy of the biometric authorization of the respective user. If the confidence score trend is greater than or equal to the trend threshold, the vehicle computer 110 may determine that a trigger has occurred. If the confidence score trend is less than the trend threshold, the vehicle computer 110 may determine that no triggering has occurred.

Upon determining that the trigger has occurred, the vehicle computer 110 can store the challenge biometric data in a buffer. The vehicle computer may encrypt the challenge biometric data prior to storing the challenge biometric data. For example, the vehicle computer 110 can input the challenge biometric data into an encryption program that encrypts the challenge biometric data based on a key.

For example, the vehicle computer 110 may input the challenge biometric data and the key into the ranking program. The permutation program (sometimes referred to as a permutation generator) may be a conventional encryption program, for example, a program including the Advanced Encryption Standard (AES) algorithm. The ranking program may rearrange the data in the challenge biometric data in the order specified by the keys. That is, the permutation program performs one or more of substitution, sequential change in message segments, or mathematical operation on each portion of the challenge biometric data according to the block cipher generated from the key. For example, if the permutation program is an AES algorithm, the vehicle computer 110 may identify a 16-bit portion of the challenge biometric data, apply an exclusive-or function (i.e., an XOR function) between the 16-bit portion and a portion of the key to generate a first round of strings, and arrange the first round of strings into a 4x4 grid. The vehicle computer 110 may then perform one of the following: (1) shifting respective positions of bits within rows of the 4x4 grid, (2) replacing one of the bits in the 4x4 grid with a known replacement bit, (3) shifting respective positions of bits within columns of the 4x4 grid; or (4) scaling the value of the bit by a predetermined integer. The shift, scaling and replacement algorithms are determined according to a specific permutation procedure. The vehicle computer 110 can perform a ranking procedure on the polling biometric data to encrypt the polling biometric data.

The vehicle computer 110 may retrieve the key, for example, from a memory of the vehicle computer 110. The key is a predetermined set of alphanumeric characters. For example, the key may be an encryption key used in conventional encryption programs (e.g., diffie-Hillman exchange, RSA encryption, AES, etc.). The key may be specified, for example, by the manufacturer of the vehicle computer 110. The vehicle computer 110 may receive the key from the remote server computer 140, for example, via the network 135.

As another example, the encrypted challenge biometric data may be a hash. A "hash" is the output of a "hash" function that outputs a unique string of alphanumeric bits for a particular input. That is, although the hash appears to be random, only certain inputs may produce a particular hash. In such an example, the vehicle computer 110 may input the challenge biometric data as a secure hash algorithm 1 (SHA-1) into a cryptographic hash function to generate a hash (i.e., a fixed-size encrypted bit string).

Upon storing the challenge biometric data in the buffer, the vehicle computer 110 is programmed to initiate a third timer. The duration of the third timer may be a predetermined amount of time determined empirically, e.g., based on a test that allows determining an average amount of time for authenticating a user (discussed below). The duration of the third timer may be stored, for example, in a memory of the vehicle computer 110.

If the vehicle computer 110 does not authenticate the user before the third timer expires, the vehicle computer 110 deletes the challenge biometric data from the buffer and maintains the user data. In addition, the vehicle computer 110 may be programmed to provide instructions to the user to reinitiate biometric enrollment, as discussed above. The vehicle computer 110 may then update the user data as updated enrolled biometric data is obtained, as discussed above.

If the vehicle computer 110 authenticates the user before the third timer expires, the vehicle computer 110 updates the user data based on the challenge biometric data. For example, the vehicle computer 110 can update a lookup table to associate the user with the challenge biometric data. In this case, the vehicle computer 110 may access the buffer and decrypt the poll biometric data. For example, the vehicle computer 110 can rearrange the retrieved challenge biometric data by using the key to decrypt and recover the challenge biometric data. As another example, the retrieved challenge biometric data may be a hash, as discussed above. In such an example, the vehicle computer 110 may rearrange the hash by using the hash function and the key to recalculate the challenge biometric data. Upon updating the user data, the vehicle computer 110 may delete the challenge biometric data from the buffer. Additionally or alternatively, the vehicle computer 110 may provide additional instructions to the user to provide biometric data in addition to the challenge data retrieved from the buffer, for example, in substantially the same manner as discussed above with respect to providing updated instructions.

The vehicle computer 110 is programmed to authenticate the user based on the authenticator. Authenticating a user means verifying or proving the identity of the user; authentication failure occurs when it is determined that the identity of the user cannot be verified (i.e., demonstrated). As one example, the authenticator may be a second confidence threshold. In this case, the vehicle computer 110 can authenticate the user based on comparing the confidence score of the challenge biometric data to a second confidence threshold. If the confidence score of the challenge biometric data exceeds the second confidence threshold, the vehicle computer 110 authenticates the user. If the confidence score of the challenge biometric data is less than or equal to the second confidence threshold, the vehicle computer 110 determines not to authenticate the user.

As another example, the authenticator may be an authorized portable device 145. In this case, the vehicle computer 110 may authenticate the user based on detecting the authorized portable device 145 within a predetermined distance of the vehicle 105. For example, the vehicle computer 110 may detect the portable device 145 based on detecting the return of the RF signal, as discussed above. In addition, the vehicle computer 110 may receive location data from the portable device 145, as discussed above. Upon detection of the portable device 145, the vehicle computer 110 may compare the distance between the portable device 145 and the vehicle computer 110 to a predetermined distance. The distance is a linear distance between the geographic coordinates specified by the location data of the portable device 145 and the geographic coordinates specified by the geofence of the passenger compartment 200. The predetermined distance specifies a maximum distance from the vehicle 105 within which the vehicle computer 110 may identify the user. The predetermined distance may be determined empirically, for example, based on tests that allow determination of a distance from the vehicle 105 that indicates that a detected user may seek access to the vehicle 105. The predetermined distance may be stored in, for example, a memory of the vehicle computer 110.

If the distance is greater than the predetermined distance, the vehicle computer 110 may ignore the detected portable device 145. In this case, the vehicle computer 110 determines not to authenticate the user. If the distance is less than or equal to the predetermined distance, the vehicle computer 110 may authorize the portable device 145. Upon authorizing the portable device 145, the vehicle computer 110 can be programmed to authenticate the user.

Authorizing the portable device 145 means that the vehicle computer 110 determines that the portable device 145 has the right to communicate with the vehicle computer 110; a failure of authorization occurs upon determining that portable device 145 has no authorization to communicate with vehicle computer 110. The vehicle computer 110 may be programmed, for example, to authorize the portable device 145 based on a key (e.g., a combination of numbers and/or characters) received from the portable device 145. For example, the vehicle computer 110 may authorize the portable device 145 based on determining that the received key matches an expected key stored in a memory of the vehicle computer 110 (e.g., known to parties such as a dealer (e.g., a transactor) of the vehicle 105). As another example, authorized portable device 145 may have an RFID tag or the like that uniquely designates a user from other potential users who often use vehicle 105. The RFID signal may be associated with a user in the memory of the vehicle computer 110. As another example, an authorized portable device 145 can be paired with, for example, HMI 118. The authorized portable device 145 may be associated with a user in memory.

As another example, the authenticator may be a user input specifying identification information (e.g., a user name and password) of the user. For example, the vehicle computer 110 can actuate the HMI 118 to display virtual buttons corresponding to alphanumeric characters that the user can select to provide identification information. In other words, the HMI 118 may activate a sensor that may detect a user selecting a virtual button to specify the user's identification information. Upon detecting a user input, the HMI 118 may provide the user input to the vehicle computer 110 and the vehicle computer 110 may authenticate the user based on the user input. For example, the vehicle computer 110 may compare the identification information specified by the user input with the identification information stored in, for example, a memory of the vehicle computer 110. If the retrieved identification information matches the stored identification information, the vehicle computer 110 determines to authenticate the user. In this context, "matching" means that the retrieved identification information identifies the same user as stored identification information. If the retrieved identification information does not match the stored identification information, the vehicle computer 110 determines that the user is not authenticated.

As yet another example, the authenticator may be the helper challenge biometric data. Helper challenge biometric data is herein meant to refer to a different type of biometric data than challenge biometric data. The helper challenge biometric data may be obtained after the challenge biometric data is obtained. For example, to authenticate the user, the vehicle computer 110 can actuate the HMI 118 to provide instructions to the user to provide the auxiliary challenge biometric data, e.g., via a display, speaker, etc. As one non-limiting example, the challenge biometric data may include facial characteristics of the user, and the auxiliary challenge biometric data may include a fingerprint of the user.

The vehicle computer 110 can be programmed to perform biometric authorization of the user based on the helper challenge biometric data. For example, the user data may include helper enrollment biometric data, which is the same type of biometric data as helper challenge biometric data. The vehicle computer 110 may determine the confidence score of the helper challenge biometric data, for example, in substantially the same manner as discussed above with respect to determining the confidence score of the challenge biometric data, and may compare the confidence score of the helper challenge biometric data to the first confidence threshold. If the confidence score of the helper challenge biometric data exceeds the first confidence threshold, the vehicle computer 110 can authenticate the user. If the confidence score of the helper challenge biometric data is less than or equal to the first confidence threshold, the vehicle computer 110 can determine not to authenticate the user.

In examples where the vehicle computer 110 detects a trigger prior to authenticating the user, the vehicle computer 110 may be programmed to update the user data (as discussed above) upon authenticating the user. In examples where the vehicle computer 110 authenticates the user prior to detecting the trigger, the vehicle computer 110 may obtain updated challenge biometric data of the user, for example, in substantially the same manner as discussed above with respect to obtaining the challenge biometric data.

The vehicle computer 110 can be programmed to perform biometric authorization of the user based on the updated challenge biometric data. That is, the vehicle computer 110 can use the updated challenge biometric data and user data to perform the biometric authorization. The vehicle computer 110 can determine a confidence score for the updated challenge biometric data, e.g., as discussed above with respect to determining the confidence score for the challenge biometric data. The vehicle computer 110 can then compare the confidence score of the updated challenge biometric data to a second confidence threshold. If the confidence score of the updated challenge biometric data exceeds the second confidence threshold, the vehicle computer 110 may update the user data to include the updated challenge biometric data. In this case, the vehicle computer 110 may control the vehicle 105 based on the updated user data of the user, as discussed above. If the confidence score of the updated challenge biometric data is less than or equal to the second confidence threshold, the vehicle computer 110 can maintain the user data. In this case, the vehicle computer 110 may provide instructions to the user to provide updated enrollment biometric data, as discussed above.

Fig. 4A is a first portion of a flowchart of an exemplary process 400 (a second portion is shown in fig. 4B because the entire flowchart would not be suitable for a single drawing sheet) performed in the vehicle computer 110 according to program instructions stored in its memory for biometric authorization of a user. Process 400 includes a plurality of blocks that may be performed in the order shown. Alternatively or additionally, process 400 may include fewer blocks or may include blocks performed in a different order.

Process 400 begins in block 402. In block 402, the vehicle computer 110 determines whether the user is in the passenger compartment 200 of the vehicle 105. The vehicle computer 110 may detect that the user is in the passenger compartment 200 based on data from the interior sensors 115b, as discussed above. If the vehicle computer 110 determines that the user is in the passenger compartment 200, the process 400 continues in block 404. Otherwise, the process 400 remains in block 402.

In block 404, the vehicle computer 110 determines whether user data for the user is available, such as stored in a memory of the vehicle computer 110, as discussed above. If user data for the user is available, process 400 continues in block 410. Otherwise, the process 400 continues in block 406.

In block 406, the vehicle computer 110 generates user data for the user. The vehicle computer 110 may actuate one or more internal sensors 115b to obtain the enrolled biometric data of the user, as discussed above. The vehicle computer 110 then associates the enrolled biometric data with the user, as discussed above. Additionally, the vehicle computer 110 can determine the user authorization based on detecting user input specifying the user authorization via the HMI 118, as discussed above. The vehicle computer 110 can then associate the user authorization with the user. The process 400 continues in block 408.

In block 408, the vehicle computer 110 controls one or more vehicle components 125 based on the user data of the user, as discussed above. The process 400 continues in block 410.

In block 410, the vehicle computer 110 obtains challenge biometric data of the user. Upon detecting that the user is in the passenger compartment 200, via data from the external sensors 115a, for example, approaching the vehicle 105, or via data from the internal sensors 115b, the vehicle computer 110 may actuate one or more of the sensors 115 to obtain the user's challenge biometric data, as discussed above. The process 400 continues at block 412.

In block 412, the vehicle computer 110 determines whether to authorize the user based on the challenge biometric data. The vehicle computer 110 performs biometric authorization for the user to determine a confidence score for the challenge biometric data, as discussed above. The vehicle computer 110 compares the confidence score of the challenge biometric data to a first confidence threshold, as discussed above. If the confidence score of the challenge biometric data exceeds the first confidence threshold, then the process 400 continues in block 422. Otherwise, the process 400 continues in block 414.

In block 414, the vehicle computer 110 determines whether the user is authenticated. The vehicle computer 110 may authenticate the user based on detecting the authenticator, as discussed above. If the vehicle computer 110 determines to authenticate the user, the process 400 continues in block 416. Otherwise, the process 400 continues in block 420.

In block 416, the vehicle computer 110 provides instructions to the user, as discussed above. The instructions specify actions that cause the user to provide updated enrolled biometric data, as discussed above. The process 400 continues at block 418.

In block 418, the vehicle computer 110 updates the user data to include the updated enrolled biometric data, as discussed above. The process 400 continues back to block 408.

In block 420, the vehicle computer 110 prevents the user from controlling and/or accessing the vehicle 105, as discussed above. After block 420, process 400 ends.

In block 422, the vehicle computer 110 controls one or more vehicle components 125 based on the user data of the user, as discussed above. The process 400 continues in block 424.

In block 424, the vehicle computer 110 determines whether the user is authenticated. Block 424 is substantially the same as block 414 of process 400 and will not be further described to avoid redundancy. If the vehicle computer 110 determines to authenticate the user, the process 400 continues in block 434. Otherwise, the process 400 continues in block 426.

In block 426, the vehicle computer 110 determines whether a trigger has occurred, as discussed above. As set forth above, the biometric data that indicates that the user's user data requires updating of the user is triggered. If the vehicle computer 110 determines that a trigger has occurred, the process 400 continues in block 442. Otherwise, the process 400 continues in block 428.

In block 428, the vehicle computer 110 determines whether the first timer has expired. As set forth above, the vehicle computer 110 can initiate the first timer upon authorizing the user based on the challenge data. If the first timer has expired, the process 400 continues in block 430. Otherwise, the process 400 returns to block 424.

In block 430, the vehicle computer 110 deletes the challenge biometric data. That is, the vehicle computer prevents the challenge biometric data from being stored in the buffer. The process 400 continues in block 432.

In block 432, the vehicle computer 110 maintains the user data. That is, the vehicle computer 110 continues to operate the vehicle 105 based on the user data. The vehicle computer 110 may provide instructions to the user to provide updated enrolled biometric data, as discussed above. After block 432, the process 400 ends.

Turning now to FIG. 4B, following block 424 shown in FIG. 4A, in block 434, the vehicle computer 110 obtains updated challenge biometric data of the user. Block 434 is substantially the same as block 410 of process 400 and will not be further described to avoid redundancy. The process 400 continues in block 436.

In block 436, the vehicle computer 110 determines whether the user is authorized based on the updated challenge biometric data. The vehicle computer 110 performs biometric authorization for the user to determine a confidence score for the updated challenge biometric data, as discussed above. The vehicle computer 110 compares the confidence score of the updated challenge biometric data to a second confidence threshold, as discussed above. If the confidence score of the updated challenge biometric data exceeds the second confidence threshold, then process 400 continues in block 438. Otherwise, the process 400 continues in block 432.

In block 438, the vehicle computer 110 updates the user data to include the updated challenge biometric data, as discussed above. The process 400 continues in block 440.

In block 440, the vehicle computer 110 controls one or more vehicle components 125 based on the updated user data of the user, as discussed above. After block 440, the process 400 ends.

In block 442, the vehicle computer 110 stores the challenge biometric data in a buffer, as discussed above. The process 400 continues at block 444.

In block 444, the vehicle computer 110 determines whether the user is authenticated. Block 434 is substantially the same as block 414 of process 400 and will not be further described to avoid redundancy. If the vehicle computer 110 determines to authenticate the user, the process 400 continues in block 446. Otherwise, the process 400 continues in block 450.

In block 446, the vehicle computer 110 updates the user data to include the challenge biometric data, as discussed above. The process 400 continues at block 448.

In block 448, the vehicle computer 110 controls one or more vehicle components 125 based on the updated user data of the user, as discussed above. After block 448, the process 400 ends.

In block 450, the vehicle computer 110 determines whether the third timer has expired. As set forth above, the vehicle computer 110 may initiate a third timer when the challenge biometric data is stored in the buffer. If the third timer has not expired, the process 400 returns to block 444. If the third timer has expired, the process 400 continues in block 452.

In block 452, the vehicle computer 110 resets the buffer. That is, the vehicle computer 110 deletes the challenge biometric data from the buffer. The process 400 continues in block 432.

As used herein, the adverb "substantially" means that the shape, structure, measurement, quantity, time, etc. may deviate from the precisely described geometry, distance, measurement, quantity, time, etc. due to imperfections in materials, machining, manufacturing, data transmission, computational speed, etc.

Generally, what is describedThe computing system and/or device may employ any of a variety of computer operating systems, including but in no way limited to the following versions and/or categories: ford (force)

Application; appLink/Smart Device Link middleware; microsoft->

An operating system; microsoft->

An operating system; unix operating systems (e.g., +.A.issued by Oracle corporation on the coast of Redwood, california >

An operating system); an AIX UNIX operating system issued by International Business Machines company of Armonk, N.Y.; a Linux operating system; mac OSX and iOS operating systems published by apple Inc. of Copico, calif.; blackberry operating systems issued by blackberry limited of smooth iron, canada; and android operating systems developed by *** corporation and open cell phone alliance; or +.>

CAR infotainment platform. Examples of computing devices include, but are not limited to, a machine-mounted first computer, a computer workstation, a server, a desktop computer, a notebook computer, a laptop computer, or a handheld computer, or some other computing system and/or device.

Computers and computing devices typically include computer-executable instructions, where the instructions may be capable of being executed by one or more computing devices, such as those listed above. Computer-executable instructions may be compiled or interpreted from a computer program created using a variety of programming languages and/or techniques, including, but not limited to, java, alone or in combination ^TM 、C、C++, matlab, simulink, stateflow, visual Basic, java Script, perl, HTML, etc. Some of these applications may be compiled and executed on virtual machines such as Java virtual machines, dalvik virtual machines, and the like. In general, a processor (e.g., a microprocessor) receives instructions, e.g., from a memory, a computer-readable medium, etc., and executes the instructions, thereby performing one or more processes, including one or more of the processes described herein. Such instructions and other data may be stored and transmitted using a variety of computer-readable media. Files in a computing device are typically a collection of data stored on a computer readable medium such as a storage medium, random access memory, or the like.

The memory may include a computer-readable medium (also referred to as a processor-readable medium) including any non-transitory (e.g., tangible) medium that participates in providing data (e.g., instructions) that may be read by a computer (e.g., by a processor of a computer). Such a medium may take many forms, including but not limited to, non-volatile media and volatile media. Non-volatile media may include, for example, optical or magnetic disks, and other persistent memory. Volatile media may include, for example, dynamic Random Access Memory (DRAM), which typically constitutes a main memory. Such instructions may be transmitted by one or more transmission media, including coaxial cables, copper wire and fiber optics, including the wires that comprise a system bus coupled to the processor of the ECU. Common forms of computer-readable media include, for example, RAM, PROM, EPROM, FLASH-EEPROM, any other memory chip or cartridge, or any other medium from which a computer can read.

The database, data repository, or other data store described herein may include various mechanisms for storing, accessing, and retrieving various data, including hierarchical databases, file sets in file systems, application databases in proprietary formats, relational database management systems (RDBMSs), and the like. Each such data store is typically included within a computing device employing a computer operating system (such as one of those mentioned above) and is accessed via a network in any one or more of a variety of ways. The file system is accessible from a computer operating system and may include files stored in various formats. In addition to languages used to create, store, edit, and execute stored programs (e.g., the PL/SQL language described above), RDBMS also typically employ Structured Query Language (SQL).

In some examples, system elements may be implemented as computer-readable instructions (e.g., software) on one or more computing devices (e.g., servers, personal computers, etc.), stored on a computer-readable medium (e.g., disk, memory, etc.) associated therewith. The computer program product may include such instructions stored on a computer-readable medium for implementing the functions described herein.

With respect to the media, processes, systems, methods, heuristics, etc. described herein, it should be understood that, while the steps of such processes, etc. have been described as occurring in a certain ordered sequence, such processes could be practiced by executing the steps in an order different than that described herein. It should also be understood that certain steps may be performed concurrently, other steps may be added, or certain steps described herein may be omitted. In other words, the description of the processes herein is provided for the purpose of illustrating certain embodiments and should not be construed as limiting the claims in any way.

Accordingly, it is to be understood that the above description is intended to be illustrative, and not restrictive. Many embodiments and applications other than the examples provided will be apparent to those of skill in the art upon reading the above description. The scope of the invention should be determined, not with reference to the above description, but should instead be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled. It is contemplated and anticipated that future developments will occur in the arts discussed herein, and that the disclosed systems and methods will be incorporated into such future embodiments. In summary, it is to be understood that the invention is capable of modification and variation and is limited only by the following claims.

Unless explicitly indicated to the contrary herein, all terms used in the claims are intended to be given their ordinary and customary meaning as understood by those skilled in the art. In particular, the use of singular articles such as "a," "an," "the," and the like are to be construed to recite one or more of the indicated elements unless a claim recites an explicit limitation to the contrary.

According to the present invention there is provided a system having a computer comprising a processor and a memory, the memory storing instructions executable by the processor to: upon authorizing the user via the challenge biometric data, determining to update the user data based on the determining trigger; updating the user data based on authenticating the user using the challenge biometric data upon determining the trigger prior to authenticating the user; updating the user data with the updated challenge biometric data based on the confidence score of the updated challenge biometric data exceeding a threshold upon determining the trigger after authenticating the user; and controlling the structural component based on the updated user data.

According to an embodiment, the triggering includes one or more of expiration of a timer, a confidence score of the challenge biometric data being less than a second confidence threshold, or presence of a variable characteristic of the user.

According to one embodiment, the instructions further comprise instructions for: upon detecting the trigger, storing the challenge biometric data in a buffer based on a confidence score of the challenge biometric data exceeding the threshold; and deleting the challenge biometric data from the buffer when the user data is updated with the challenge biometric data.

According to one embodiment, the instructions further comprise instructions for: the challenge biometric data is deleted from the buffer based on the user not being authenticated within a predetermined time of storing the challenge biometric data in the buffer.

According to one embodiment, the instructions further comprise instructions for: the challenge biometric data is prevented from being stored in a buffer based on a determination that the user data is not updated.

According to one embodiment, the instructions further comprise instructions for: storing the challenge biometric data in the buffer is prevented based on the confidence score of the challenge biometric data not exceeding the threshold.

According to one embodiment, the instructions further comprise instructions for: the challenge biometric data is encrypted prior to storing the challenge biometric data in the buffer.

According to one embodiment, the instructions further comprise instructions for: retrieving the encrypted challenge biometric data from the buffer upon determining to update the user data based on the challenge biometric data; and decrypting the challenge biometric data prior to updating the user data.

According to one embodiment, the instructions further comprise instructions for: authorizing the user based on determining that a confidence score of the challenge biometric data is greater than the threshold.

According to one embodiment, the instructions further comprise instructions for: authenticating the user based on determining that the confidence score of the challenge biometric data is greater than a second confidence threshold, the second confidence threshold being greater than the threshold.

According to one embodiment, the instructions further comprise instructions for: authenticating the user based on helper challenge biometric data, the helper challenge biometric data being a different type of biometric data than the challenge biometric data.

According to one embodiment, the instructions further comprise instructions for: authentication is performed based on user input.

According to one embodiment, the instructions further comprise instructions for: authentication is performed based on detecting an authorized device.

According to one embodiment, the instructions further comprise instructions for: the user data is additionally updated based on user input.

According to one embodiment, the instructions further comprise instructions for: providing instructions to the user to provide updated biometric data based on the confidence score of the challenge biometric data not exceeding the threshold; and updating the user data using the updated biometric data when the updated biometric data is obtained.

According to the invention, a method comprises: upon authorizing the user via the challenge biometric data, determining to update the user data based on determining the trigger; updating the user data based on authenticating the user using the challenge biometric data upon determining the trigger prior to authenticating the user; updating the user data with the updated challenge biometric data based on the confidence score of the updated challenge biometric data exceeding a threshold upon determining the trigger after authenticating the user; and controlling the structural component based on the updated user data.

In one aspect of the invention, the triggering includes one or more of expiration of a timer, a confidence score of the challenge biometric data being less than a second confidence threshold, or presence of a variable characteristic of the user.

In one aspect of the invention, the method comprises: storing the first biometric data in a buffer based on a confidence score of the challenge biometric data exceeding the threshold upon detection of the trigger; and deleting the challenge biometric data from the buffer when the user data is updated with the challenge biometric data.

In one aspect of the invention, the method includes deleting the challenge biometric data from the buffer based on the user not being authenticated within a predetermined time of storing the challenge biometric data in the buffer.

In one aspect of the invention, the method includes authorizing the user based on determining that a confidence score of the challenge biometric data is greater than the threshold.

Claims

1. A method, comprising:

upon authorizing the user via the challenge biometric data, determining to update the user data based on determining the trigger;

Updating the user data based on authenticating the user using the challenge biometric data upon determining the trigger prior to authenticating the user;

updating the user data using the updated challenge biometric data based on a confidence score of the updated challenge biometric data exceeding a threshold upon determining the trigger after authenticating the user; and

controlling the structural component based on the updated user data.

2. The method of claim 1, wherein the trigger comprises one or more of expiration of a timer, a confidence score of the challenge biometric data being less than a second confidence threshold, or presence of a variable characteristic of the user.

3. The method of claim 1, further comprising:

upon detecting the trigger, storing the challenge biometric data in a buffer based on a confidence score of the challenge biometric data exceeding the threshold; and

the challenge biometric data is deleted from the buffer when the user data is updated with the challenge biometric data.

4. The method of claim 3, further comprising deleting the challenge biometric data from the buffer based on the user not being authenticated within a predetermined time of storing the challenge biometric data in the buffer.

5. The method of claim 3, further comprising preventing storing the challenge biometric data in the buffer based on determining not to update the user data.

6. The method of claim 3, further comprising preventing storing the challenge biometric data in the buffer based on the confidence score of the challenge biometric data not exceeding the threshold.

7. The method of claim 3, further comprising encrypting the challenge biometric data prior to storing the challenge biometric data in the buffer.

8. The method of claim 7, further comprising:

retrieving the encrypted challenge biometric data from the buffer upon determining to update the user data based on the challenge biometric data; and

decrypting the challenge biometric data prior to updating the user data.

9. The method of claim 1, further comprising authorizing the user based on determining that a confidence score of the challenge biometric data is greater than the threshold.

10. The method of claim 9, further comprising authenticating the user based on determining that the confidence score of the challenge biometric data is greater than a second threshold, the second threshold being greater than the threshold.

11. The method of claim 1, further comprising authenticating the user based on helper biometric data, the helper biometric data being a different type of biometric data than the challenge biometric data.

12. The method of claim 1, further comprising authenticating the user based on one of receiving user input or detecting an authorized device.

13. A computer programmed to perform the method of any one of claims 1 to 12.

14. A computer program product comprising instructions for performing the method of any of claims 1 to 12.

15. A vehicle comprising a computer programmed to perform the method of any one of claims 1 to 12.